Further to the intensification of hostilities since 7 October 2023 and horrific loss of civilian lives, the CyberPeace Institute has observed an escalation in cyberattacks in the context of the ongoing conflict in Israel and the occupied territories. Cyber operations are being conducted by multiple threat actors, with cyberattacks being directed against both Israeli and Palestinian entities.
One of the most used types of cyberattacks linked to the current hostilities in this armed conflict are Distributed Denial of Service (DDoS) attacks. A DDoS attack is when the availability of an online resource such as a website is disrupted due to the malicious flooding of a targeted server with internet traffic.
Cloudflare detected DDoS attacks against Israeli websites approximately twelve minutes following the armed attack by Hamas on 7th October which led to an appalling loss of civilian lives. A Cloudflare report reveals that Israeli websites have been heavily targeted with DDoS attacks by pro-Palestine threat actors following the events of 7th of October.1 The CyberPeace Institute has also identified pro-Israel threat actors conducting DDoS attacks against Palestinian websites. Nevertheless, the Institute’s analysis leads to the conclusion that Israeli entities are targeted by DDoS attacks significantly more than Palestinian entities.
Other types of cyberattacks are also being carried out in the context of these hostilities. Defacement operations, where a threat actor alters a website’s appearance, content or functionality, are being conducted. According to Darkowl, both pro-Palestine and pro-Israel groups are conducting defacement operations of websites. However, their initial research shows that there are more defacement attacks conducted by pro-Palestine groups against Israeli websites.2 According to a study conducted by the University of Cambridge Cybercrime Centre, there have been over 500 defacement operations against Israeli websites during the period 7th to 16th of October.3 The CyberPeace Institute has also identified reports of alleged “hack and leak” operations, which is the theft and leak of data for political or ideological purposes. However, these claims have not yet been able to be verified.
As we have evidenced in the case of the armed conflict in Ukraine, hacktivism plays an important role in how armed conflicts extend to cyberspace. Hacktivist collectives are independent groups of people conducting malicious cyberactivities motivated by political or social ideology. According to a report from Falconfeeds, there are at least 90 pro-Palestine threat actors and 23 pro-Israel threat actors actively engaged in cyberthreats in the context of the Israel-Palestine conflict.4 Furthermore, certain pro-Russian hacktivists, known for orchestrating cyberattacks linked to the ongoing armed conflict in Ukraine, are also active in attacks in the ongoing Israel-Palestine conflict. The CyberPeace Institute has identified KillNet, Anonymous Sudan, BlueNet Russia and UserSec. These actors having claimed participation in attacks against Israeli entities.
As previously stated, many of the threat actors conducting cyberattacks are hacktivist collectives. Many of these hacktivist groups allegedly originate from locations outside of the conflict zone, such as Morocco, India, and Indonesia. This is different to the cyber threats linked to the ongoing armed conflict between the Russian Federation and Ukraine. In that conflict, the threat actors are primarily located in one or other of the two belligerent countries.
After an initial study carried out by the CyberPeace Institute, we have determined that not all threat actors are attempting to evidence their alleged operations. Out of 38 pro-Palestine threat actors assessed, only 15 provided credible proof of the cyberattacks they claim to have committed. Only 6 out of the 10 pro-Israel threat actors provided credible proof of the cyberattacks they claim to have committed.
There is a realistic probability that hacktivists are not the only type of threat actor involved in this escalation of cyberthreats. The cybersecurity company SentinelOne has identified a list of state-sponsored APTs (Advanced Persistent Threats). This list includes APTs linked to Hamas, Hezbollah and Iran capable of conducting more sophisticated cyberattacks. The cybersecurity company also warns of the likelihood of state-sponsored actors masquerading as hacktivist collectives.5
The online resources of both Israeli and Palestinian entities are being targeted. In the case of cyberattacks against Israeli entities, Cloudflare has reported that Israeli news media websites have been the main target since the 7th of October with over 56% of reported DDoS attacks carried out. For example, one of the threat actors, Anonymous Sudan, has claimed to have targeted an Israeli news media site with a DDoS attack. The attack caused the website to be down for a period of more than two days consecutively.6 Other targeted sectors include ICT, Financial and Public Administration. The CyberPeace Institute has also identified cyberattacks targeting the Education, Energy and Transportation sectors in Israel.
Palestinian entities in the Financial, ICT and News Media sectors are mainly being targeted by cyberattacks according to Cloudflare. Cyberattacks against the Public Administration sector in Palestine have also been observed by the CyberPeace Institute. Furthermore, the Institute has also identified two confirmed DDoS attacks conducted by Pro-Israel threat actors against two NGOs. This includes one local and one international, offering civilian services to Palestinians. The CyberPeace Institute does not publish the identities of entities targeted with cyberattacks in order to protect them.
The Institute has also identified a geographic spillover. Countries beyond Israel and the occupied territories are carrying out cyberattacks. For example, there have been cyberattacks against EU Institutions a few days after 7th October. Threat actors claiming involvement in these attacks have stated publicly that this was due to the EU’s initial support of Israel following the Hamas attack of 7th October.
As we have seen in other armed conflicts, information has become an important part of the conflict.7 Disinformation is false information that is maliciously spread with the intention to mislead. While kinetic operations are ongoing, parties to the conflict are promoting their narrative or version of the hostilities. Disinformation is explicitly being spread on social media. CyberWire states that much of the disinformation generated is specifically inline with Hamas’ interests.8 It is important to continue to monitor the disinformation in relation to this conflict. The CyberPeace Institute underlines the importance of checking the veracity of information with reliable sources before sharing it in order to reduce the spread of disinformation.
Internet Connectivity in Gaza
Lack of, or reduced, internet connectivity has become a factor affecting the civilian population in Gaza. Connectivity in the Gaza Strip started to drop following Israel’s military response to Hamas’ armed attack on 7th October. As Israel targets Hamas with kinetic operations in Gaza, Internet and phone services continue to be impacted. This is due to the damage caused to the telecommunications infrastructure.9
- On 27th October, some of the last remaining Internet access through the Palestinian telecommunications company, Paltel, went completely offline.10
- On 29th October, Paltel announced that telecommunication services were slowly starting to be restored after a near-total blackout of around 36 hours.11
The disruption of these services doesn’t only impact military objects. This also impacts civilian services who depend on connectivity in order to contact loved ones, seek medical support, access online services, coordinate rescue efforts and much more.
Targeting telecommunications networks adds to the confusion and fog of war, thus accentuating the impact on civilians during hostilities. According to Human Rights Watch, the total destruction of telecommunications in Gaza by the Israel Defense Forces not only affects civilians directly by cutting them off from critical infrastructure such as emergency services, but could also be considered “disproportionate” under International law.12
The CyberPeace Institute condemns the killing and abduction of civilians by Hamas. The Institute calls for the immediate release of civilians held by Hamas. The CyberPeace Institute also condemns unrestrained and indiscriminate attacks by Israel which are leading to the deaths and suffering of civilians in Gaza.
We call upon all parties to spare civilians, civilian objects and infrastructure which are ensuring the delivery of essential services, from attacks including cyberattacks and dissemination of harmful content.
The CyberPeace Institute is calling for restraint in the use of cyber, as well as in other attacks. Harm to civilians, civilian objects and infrastructure which are ensuring the delivery of essential services must be avoided.
The CyberPeace Institute calls on all parties to respect their obligations under International Humanitarian Law (IHL). Civilians and other protected persons must be respected and protected at all times.
- Yoachimik, O., Pacheco, J. (2023). ‘Cyber attacks in the Israel-Hamas war’. Cloudflare. Available at: https://blog.cloudflare.com/cyber-attacks-in-the-israel-hamas-war/ (Accessed: 31 October 2023). ↩︎
- Darkowl. (2023). ‘Hacktivist Groups Use Defacements in the Israel Hamas Conflict’. Darkowl. Available at: https://www.darkowl.com/blog-content/hacktivist-groups-use-defacements-in-the-israel-hamas-conflict/ (Accessed: 31 October 2023). ↩︎
- Vu, A.V. et al. (2023). “Defacement Attacks on Israeli Websites”. University of Cambridge Cybercrime Center. Available at: https://www.cl.cam.ac.uk/~rja14/Papers/gaza.pdf (Accessed: 6 November 2023). ↩︎
- Sahariya, M. (2023). ‘The Evolving Landscape of Cyber Warfare in the Israel-Palestine: A Comprehensive Analysis’. Falconfeeds. Available at: https://falconfeeds.io/blog/post/the-evolving-landscape-of-cyber-warfare-in-the-israelpalestine-conflict-a-comprehensive-analysis–356011 (Accessed: 30 October 2023). ↩︎
- Hegel, T. (2023). ‘The Israel-Hamas War |Cyber Domain State-Sponsored Activity of Interest’. SentinelOne. Available at: https://www.sentinelone.com/labs/the-israel-hamas-war-cyber-domain-state-sponsored-activity-of-interest/ (Accessed: 31 October 2023). ↩︎
- Anonymous Sudan. (2023). Telegram. Available at: https://t.me/xAnonymousSudan/133 (Accessed: 31 October 2023). ↩︎
- Helmus, T., Marcellino, W. (2023). ‘Lies, Misinformation Play Key Role in Israel-Hamas Fight’. Rand. Available at: https://www.rand.org/blog/2023/10/lies-misinformation-play-key-role-in-israel-hamas-fight.html (Accessed: 2 November 2023). ↩︎
- CyberWire. (2023). ‘Cyber phases of the conflict between Israel and Hamas. Disinformation and content control. Cyberespionage and supply chain vulnerability’. CyberWire. Available at: https://thecyberwire.com/newsletters/daily-briefing/12/195 (Accessed: 31 October 2023). ↩︎
- O’kruk, A., Wilson, R. (2023). ‘Gaza’s disappearing internet, visualized.’ CNN. Available at: https://edition.cnn.com/2023/10/13/middleeast/gaza-internet-outage-map-visuals-dg/index.html (Accessed: 31 October 2023). ↩︎
- Burgess, M. (2023). ‘The Destruction of Gaza’s Internet is Complete’. Wired. Available at: https://www.wired.com/story/gaza-internet-blackout-israel/ (Accessed: 30 October 2023). ↩︎
- Aljazeera. (2023). ‘Internet, phone services return to Gaza after Israeli communications cutoff’. Aljazeera. Available at: https://www.aljazeera.com/news/2023/10/29/internet-phone-services-return-to-gaza-after-communications-blackout (Accessed: 31 October 2023). ↩︎
- Human Rights Watch. (2023). X. Available at: https://publish.twitter.com/?query=https%3A%2F%2Ftwitter.com%2Fhrw%2Fstatus%2F1719427260157931999&widget=Tweet ↩︎